The short version: website trackers fall into four categories — analytics scripts, ad/retargeting pixels, fingerprinting, and CNAME cloaking. Browser extensions (uBlock Origin) block the most tracker types on desktop but don't work on iPhone. Safari content blockers work on iPhone but only in Safari. DNS-level blocking works across all apps and platforms but misses first-party and CNAME-cloaked trackers. VPN-based filtering provides the broadest cross-platform coverage. The best approach depends on your platform and how many of your devices you want protected. Below: the complete breakdown.
Blocking methods compared: platform support and tracker types caught
| Blocking method | iPhone | Mac | Android | Analytics | Ad pixels | Fingerprinting | CNAME cloaking |
|---|---|---|---|---|---|---|---|
| Browser extensions (uBlock Origin) | No (not on Safari iOS) | Yes (Firefox, Chrome) | Yes (Firefox) | Yes | Yes | Yes (most) | Yes (with uBO + Firefox) |
| Safari content blockers | Yes (Safari only) | Yes (Safari only) | No | Yes | Yes | Partial | No |
| DNS-level blocking | Yes (all apps) | Yes (all apps) | Yes (all apps) | Yes (dedicated hostnames) | Yes (dedicated hostnames) | No | No |
| VPN-based filtering | Yes (all apps) | Yes (all apps) | Yes (all apps) | Yes (dedicated hostnames) | Yes (dedicated hostnames) | No (but blocks fingerprinting scripts' hostnames) | Partial (some via threat intelligence) |
Let's unpack what these tracker types are, why each blocking method catches some but not others, and what the practical setup looks like on each platform.
What website trackers actually are
The term "website tracker" is vague, which is why most blocking advice is vague too. Let's be specific. There are four distinct types of tracking technology on the web, and they work differently, which means different blocking methods catch different ones.
1. Analytics scripts
Google Analytics, Plausible, Matomo, Mixpanel, Amplitude, Heap — these are JavaScript libraries that website owners embed in their pages to understand visitor behavior (which pages get visited, how long people stay, where they click, where they drop off). Google Analytics is by far the most common, present on over 55% of all websites. The tracking works by loading a JavaScript file from an external domain (e.g., google-analytics.com) which executes in your browser and sends data about your visit back to the analytics service. The data typically includes: page URL, referrer, screen size, browser, OS, time on page, scroll depth, and clicks. Google Analytics also sets cookies that persist across visits, allowing it to recognize returning visitors.
2. Advertising and retargeting pixels
The Meta Pixel (formerly Facebook Pixel), Google Ads conversion tracking, TikTok Pixel, Twitter/X Pixel, LinkedIn Insight Tag, Pinterest Tag — these are scripts that website owners install to report visitor behavior back to ad platforms. When you visit a product page on an e-commerce site that has the Meta Pixel, Facebook learns that you viewed that product. Later, when you open Instagram, Facebook shows you an ad for that exact product. This is "retargeting" — the mechanism behind the "I looked at shoes and now I see shoe ads everywhere" experience. The tracking works similarly to analytics: a JavaScript file loads from the ad platform's domain, executes in your browser, and sends data. The difference is that ad pixels are explicitly designed to build a cross-site behavioral profile for advertising purposes.
3. Browser fingerprinting
Fingerprinting doesn't rely on cookies or identifiers stored on your device. Instead, it uses characteristics of your browser and device to build a probabilistically unique identifier. The data points collected include: screen resolution, installed fonts, WebGL renderer string (your GPU), audio context fingerprint, canvas rendering output, timezone, language, platform, browser plugins, CPU core count, available memory, and dozens more. Combined, these data points create a fingerprint that uniquely identifies over 90% of browsers. The key property of fingerprinting is that it's stateless — clearing your cookies doesn't change your fingerprint because the data comes from your hardware and software configuration, not from anything stored locally.
Fingerprinting is harder to block because it uses standard browser APIs (Canvas, WebGL, AudioContext) that legitimate websites also need for normal functionality. Blocking these APIs breaks websites. The most effective defense is either randomizing the API outputs (which Firefox's Enhanced Tracking Protection and Brave do for some APIs) or blocking the fingerprinting scripts from loading at all (which requires knowing which scripts are fingerprinting — something browser extensions like uBlock Origin do through filter lists maintained by the community).
4. CNAME cloaking
CNAME cloaking is the tracking industry's response to DNS-level blocking. Here's how it works: instead of loading the tracking script from analytics.tracker.com (which a DNS filter would block), the website creates a CNAME DNS record that maps a subdomain like data.example.com to the tracker's infrastructure. Your browser sees the request going to data.example.com — which looks like a first-party request to the site you're visiting — and DNS-level blockers don't block it because the hostname belongs to the website itself. The actual data still flows to the tracking company's servers via the CNAME redirect, but the blocking layer doesn't see the redirect because it happens at the DNS infrastructure level, not at the browser level.
CNAME cloaking is currently used by a relatively small percentage of websites (estimates range from 10-15% of major publishers), but it's growing because it effectively bypasses DNS-level blocking. The only tools that reliably catch CNAME cloaking are: uBlock Origin on Firefox (which resolves CNAME chains before applying filter rules), and some specialized blocklists that track known CNAME cloaking setups (NextDNS maintains one of the best). Safari content blockers and standard DNS filters don't catch it.
Blocking trackers on iPhone
iPhone has the most constrained blocking options of the three platforms because iOS doesn't allow browser extensions in Safari (except Apple's Content Blocker API) and doesn't permit apps to modify other apps' behavior. Your options are:
Safari content blockers (1Blocker, AdGuard for Safari, Wipr): these use Apple's Content Blocker API to provide Safari with declarative rules that block network requests to known tracker domains and hide tracking elements on the page. They're effective for analytics scripts and ad pixels that load from known third-party domains. They don't catch fingerprinting (because fingerprinting uses standard APIs, not external scripts, in many implementations) and they don't catch CNAME-cloaked trackers (because the content blocker sees the first-party domain, not the CNAME target). They only work in Safari — Chrome, Firefox, and in-app browsers are unaffected. Setup: App Store > install the content blocker > Settings > Safari > Extensions > enable it.
DNS-level blocking (Casper's Cloak, NextDNS, AdGuard DNS): these block tracker hostnames at the DNS layer, which works across every app on your phone — not just Safari. When Instagram's app tries to resolve graph.facebook.com for tracking purposes, the DNS filter blocks it. This catches analytics scripts and ad pixels that use dedicated third-party hostnames. It doesn't catch CNAME-cloaked trackers (the DNS query is for the first-party subdomain, and the filter doesn't see the CNAME chain) or fingerprinting (which doesn't require an external hostname). Casper's tracker blocking maintains blocklists covering approximately 50,000 known tracker endpoints. NextDNS offers comparable coverage with more granular per-list configuration.
The recommended iPhone setup: use both — a Safari content blocker for in-browser tracker blocking (including cosmetic hiding of tracking elements) plus DNS-level blocking for system-wide coverage across all apps. The two layers don't conflict. The content blocker handles the residual trackers that DNS can't distinguish from legitimate content, and the DNS filter handles the app-level tracking that content blockers can't see.
iOS built-in protections: Safari's Intelligent Tracking Prevention (ITP) automatically limits cross-site cookies and storage access for known trackers. App Tracking Transparency removes the IDFA from tracker network requests. These help with identity tracking but don't block the network requests themselves — the tracker scripts still load, execute, and send data; they just have a less complete picture of who you are. We covered the gap in detail in our post on what App Tracking Transparency doesn't stop.
Blocking trackers on Mac
Mac has the broadest set of blocking options because macOS supports full browser extensions, system-level DNS configuration, and VPN clients with the same capabilities as iOS.
Browser extensions (best option for in-browser tracking): uBlock Origin on Firefox is the gold standard. It blocks analytics scripts, ad pixels, and fingerprinting scripts using community-maintained filter lists (EasyList, EasyPrivacy, Peter Lowe's, and many others). On Firefox specifically, uBlock Origin can resolve CNAME chains before applying filter rules — making it the only consumer tool that reliably catches CNAME cloaking. uBlock Origin is also available for Chrome (and Chromium-based browsers), though Google's Manifest V3 extension framework has limited some capabilities. If you use Safari on Mac, Safari content blockers (1Blocker, AdGuard for Safari) provide similar tracker blocking through Apple's Content Blocker API, though without CNAME uncloaking.
DNS-level blocking: the same DNS-based filters that work on iPhone work on Mac — NextDNS, Casper's Cloak, AdGuard DNS. On Mac, these catch tracker connections from all applications (not just browsers), including Electron apps, email clients, and background processes that make network calls. The same limitation applies: DNS blocking catches trackers on dedicated hostnames but misses CNAME-cloaked and first-party trackers.
The recommended Mac setup: uBlock Origin on your primary browser (Firefox for maximum coverage, including CNAME uncloaking) plus system-level DNS filtering for non-browser applications. If you use Safari as your primary browser, use a Safari content blocker plus DNS filtering. This combination catches the broadest set of tracker types across both browser and non-browser contexts.
Blocking trackers on Android
Android offers a middle ground between iPhone's restrictions and Mac's openness. You can install Firefox with full uBlock Origin support (which gives you the best in-browser tracker blocking available on any mobile platform), plus system-level DNS filtering.
Firefox + uBlock Origin (best in-browser option): unlike iOS, Android allows Firefox to run full browser extensions. Install Firefox from the Play Store, then add uBlock Origin from Firefox's add-ons menu. You get the same filter lists and CNAME uncloaking capability as the desktop version. This is the single best in-browser tracker blocker available on any mobile platform — it catches analytics, ad pixels, fingerprinting scripts, and CNAME-cloaked trackers.
Private DNS (Android 9+): Android has built-in support for DNS-over-TLS via the "Private DNS" setting (Settings > Network & internet > Private DNS). You can point this to a filtering DNS resolver like NextDNS or AdGuard DNS for system-wide tracker blocking without installing a VPN app. This is lighter-weight than a VPN and doesn't use the VPN slot. The trade-off: no network encryption beyond DNS (your other traffic is unencrypted on public WiFi), and the same DNS-level limitations apply (no CNAME uncloaking, no first-party tracking detection).
VPN-based filtering: Casper's Cloak, AdGuard for Android, and similar apps provide the same VPN-based DNS filtering on Android as they do on iOS. On Android you get the additional benefit of being able to run Firefox + uBlock Origin simultaneously — the VPN handles system-wide DNS filtering while uBlock Origin handles the deeper in-browser filtering that DNS can't cover (fingerprinting, CNAME cloaking, cosmetic element hiding).
The recommended Android setup: Firefox with uBlock Origin as your default browser, plus either Private DNS pointed to a filtering resolver (for DNS-only blocking) or a VPN-based filter (for DNS blocking plus network encryption). This combination gives you the broadest tracker blocking of any mobile platform.
The trackers you can't block (and what to do about them)
Every blocking method has the same structural ceiling: server-side tracking. When a website sends your purchase data to Facebook from their server (via Meta's Conversions API) or processes analytics server-side (via Google's Measurement Protocol), no client-side tool can see or block that traffic. The data flows between two servers you don't control. Your browser or DNS filter never sees it because the request doesn't originate from your device.
Server-side tracking is growing specifically because client-side blocking has become effective. Advertisers and analytics providers are moving their data collection to the server side to bypass the blocking tools that users have adopted. Meta's Conversions API is now used by the majority of large e-commerce sites. Google's server-side tagging is becoming standard in enterprise analytics implementations.
What you can do: you can't block server-side tracking with device-level tools. What you can do is: (1) minimize the data you provide (don't create accounts on every site, use guest checkout when available, don't link social accounts), (2) use services that do less tracking (DuckDuckGo instead of Google Search, Proton Mail instead of Gmail, Signal instead of WhatsApp), and (3) block the client-side trackers that feed data into server-side systems — when the Meta Pixel can't fire on your device, the Conversions API gets less data to work with because the client-side behavioral data it normally correlates isn't available. Client-side blocking doesn't stop server-side tracking directly, but it degrades the server-side system's effectiveness by removing the client-side signals it depends on.
Cross-platform setup summary
If you have multiple devices and want consistent tracker blocking across all of them, the simplest approach is a single DNS-level filter that covers every device on your account. Casper's Cloak and NextDNS both support multi-device configurations — one account, one set of blocklists, applied to your iPhone, Mac, and Android devices. This gives you a consistent baseline of tracker blocking across all platforms. Layer browser-specific tools on top for deeper coverage: Safari content blocker on iPhone, uBlock Origin on Mac (Firefox or Chrome), uBlock Origin on Android (Firefox).
- iPhone: Safari content blocker (1Blocker or AdGuard) + Casper's Cloak or NextDNS for system-wide DNS filtering.
- Mac: uBlock Origin in Firefox (or Safari content blocker if you use Safari) + Casper's Cloak or NextDNS for system-wide DNS filtering.
- Android: Firefox with uBlock Origin + Casper's Cloak, NextDNS via Private DNS, or AdGuard for system-wide DNS filtering.
Total setup time across all three platforms: approximately 30 minutes. The result: analytics scripts, ad pixels, and most third-party tracker network requests are blocked on every device you own, in every app, with additional fingerprinting and CNAME protection in browsers that support the right extensions.
Bottom line
Website trackers are not a single technology — they're four distinct mechanisms (analytics, ad pixels, fingerprinting, CNAME cloaking), each blocked differently by different tools. No single tool catches all four on all platforms. Browser extensions (uBlock Origin on Firefox) come closest in the browser but don't work on iPhone Safari or in non-browser apps. DNS-level blocking works across all apps and platforms but misses fingerprinting and CNAME cloaking. The practical approach is layering: a browser-level tool for the deepest in-browser blocking, plus a DNS or VPN-level tool for system-wide coverage. This combination addresses the overwhelming majority of tracker types across all your devices. The remaining gap — server-side tracking — is a structural limitation of any client-side tool, and the best response is to minimize the data you provide to services that use it.